easy-search hijack

Discussion in 'adware, spyware & hijack cleaning' started by chris, May 9, 2004.

Thread Status:
Not open for further replies.
  1. chris

    chris Registered Member

    Joined:
    May 3, 2004
    Posts:
    6
    Hi,
    My Internet Explorer homepage is being hijacked by easy-search.biz. I've run Hijack This and Spybot before and after rebooting but the evil little devil lingers. Here is my latest log.

    Logfile of HijackThis v1.95.0
    Scan saved at 4:43:03 PM, on 5/9/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\WINNT\Explorer.EXE
    C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
    C:\Program Files\Executive Software\Diskeeper\DkService.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\WINNT\System32\NMSSvc.exe
    C:\WINNT\wanmpsvc.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\Siber Systems\AI RoboForm\RoboFormWatcher.exe
    C:\WINNT\runwin32.exe
    C:\WINNT\wininet32.exe
    C:\Program Files\America Online 9.0\aoltray.exe
    C:\Program Files\WinZip\WZQKPICK.EXE
    C:\Program Files\SpywareGuard\sgmain.exe
    C:\Program Files\SpywareGuard\sgbhp.exe
    c:\program files\internet explorer\iexplore.exe
    C:\Program Files\America Online 9.0\waol.exe
    C:\Program Files\America Online 9.0\shellmon.exe
    C:\Program Files\America Online 9.0\aolwbspd.exe
    C:\Program Files\AOL Companion\companion.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Microsoft Money\System\urlmap.exe
    C:\unzipped\hijackthis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar=http://easy-search.biz
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page=http://easy-search.biz
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page=http://easy-search.biz
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page=http://easy-search.biz
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar=http://easy-search.biz
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page=http://easy-search.biz
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch=http://easy-search.biz
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant=http://easy-search.biz
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default)=http://easy-search.biz
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
    O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\RoboForm.dll
    O3 - Toolbar: FDA Bar - {9595C62C-76C6-49A6-9BDA-3253DD7A34FF} - C:\Program Files\Free Downloads Accelerator\fdabar99.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKCU\..\Run: [RoboForm] C:\Program Files\Siber Systems\AI RoboForm\RoboFormWatcher.exe
    O4 - HKCU\..\Run: [runwin32] C:\WINNT\runwin32.exe
    O4 - HKCU\..\Run: [wininet32] C:\WINNT\wininet32.exe
    O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
    O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
    O4 - Global Startup: AOL Companion.lnk = C:\Program Files\AOL Companion\companion.exe
    O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
    O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com/computercheckup/qdiagcc.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37896.7029166667
    O16 - DPF: {AD7FAFB0-16D6-40C3-AF27-585D6E6453FD} - http://66.230.143.209/loader/dploader.cab
    O16 - DPF: {C3DFA998-A486-11D4-AA25-00C04F72DAEB} (MSN Photo Upload Tool) - http://photos.msn.com/r/neutral/controls/MsnPUpld.cab?5,0,1730,0
    O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} (PhotosCtrl Class) - http://photos.yahoo.com/ocx/us/yexplorer1_9us.cab

    Any help or suggestions would be greatly appreciated.

    Thank You Very Much,

    Chris
     
  2. Unzy

    Unzy Registered Member

    Joined:
    Nov 2, 2003
    Posts:
    1,098
    Location:
    Belgium
    Hi Chris,

    You are using an outdated version of Hijackthis, first follow fixes and after doing so post a follow-up log using the latest version : HijackThis 1.97.7

    have only Hijackthis running and fix :

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar=http://easy-search.biz
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page=http://easy-search.biz
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page=http://easy-search.biz
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page=http://easy-search.biz
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar=http://easy-search.biz
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page=http://easy-search.biz
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch=http://easy-search.biz
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant=http://easy-search.biz
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default)=http://easy-search.biz

    O4 - HKCU\..\Run: [runwin32] C:\WINNT\runwin32.exe
    O4 - HKCU\..\Run: [wininet32] C:\WINNT\wininet32.exe

    O16 - DPF: {AD7FAFB0-16D6-40C3-AF27-585D6E6453FD} - http://66.230.143.209/loader/dploader.cab

    Restart PC after doing so and remove :

    C:\WINNT\runwin32.exe <- this file
    C:\WINNT\wininet32.exe <- this file

    Hope this helps

    Cheers,
     
  3. chris

    chris Registered Member

    Joined:
    May 3, 2004
    Posts:
    6
    Hi Unzy,
    Your suggestions seemed to have done the trick. Thank you very much. Here is my latest log, just in case:

    Logfile of HijackThis v1.97.7
    Scan saved at 6:13:52 PM, on 5/9/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\WINNT\Explorer.EXE
    C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
    C:\Program Files\Executive Software\Diskeeper\DkService.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\WINNT\System32\NMSSvc.exe
    C:\WINNT\wanmpsvc.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\Siber Systems\AI RoboForm\RoboFormWatcher.exe
    C:\Program Files\America Online 9.0\aoltray.exe
    C:\Program Files\WinZip\WZQKPICK.EXE
    C:\Program Files\SpywareGuard\sgmain.exe
    C:\Program Files\SpywareGuard\sgbhp.exe
    C:\Program Files\America Online 9.0\waol.exe
    C:\Program Files\America Online 9.0\shellmon.exe
    C:\Program Files\America Online 9.0\aolwbspd.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Microsoft Money\System\urlmap.exe
    C:\Program Files\AOL Companion\companion.exe
    C:\Documents and Settings\Owner\Desktop\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
    O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\RoboForm.dll
    O3 - Toolbar: FDA Bar - {9595C62C-76C6-49A6-9BDA-3253DD7A34FF} - C:\Program Files\Free Downloads Accelerator\fdabar99.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKCU\..\Run: [RoboForm] C:\Program Files\Siber Systems\AI RoboForm\RoboFormWatcher.exe
    O4 - HKLM\..\RunOnce: [OOBEDDDemise] cmd /x /c erase C:\WINNT\System32\oobe\msoobe.exe
    O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
    O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
    O4 - Global Startup: AOL Companion.lnk = C:\Program Files\AOL Companion\companion.exe
    O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
    O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com/computercheckup/qdiagcc.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37896.7029166667
    O16 - DPF: {C3DFA998-A486-11D4-AA25-00C04F72DAEB} (MSN Photo Upload Tool) - http://photos.msn.com/r/neutral/controls/MsnPUpld.cab?5,0,1730,0
    O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} (PhotosCtrl Class) - http://photos.yahoo.com/ocx/us/yexplorer1_9us.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{0D3F2E26-16B0-43D3-9E24-96FDE8899462}: NameServer = 205.188.146.146
    O17 - HKLM\System\CS1\Services\Tcpip\..\{0D3F2E26-16B0-43D3-9E24-96FDE8899462}: NameServer = 205.188.146.146

    Love your beautiful country...love your exquisite Belgian beer perhaps even more. Thanks again.

    Chris
     
  4. Unzy

    Unzy Registered Member

    Joined:
    Nov 2, 2003
    Posts:
    1,098
    Location:
    Belgium
    Hi Chris,

    You're welcome

    Glad we were able to help and good job cleaning up

    Thnx :D I second that!

    Take care

    Cheers,
     
Thread Status:
Not open for further replies.